Privacy Policy

Effective Date: January 2026 Last Updated: January 2026

Our Privacy Philosophy

ThreatMitigator is built with a simple principle: we don’t collect your data because we don’t need to.

Unlike traditional SaaS security tools, ThreatMitigator runs entirely on your infrastructure. We don’t operate cloud services, we don’t track users, and we don’t collect telemetry.

This privacy policy is intentionally short because we have very little data to discuss.

What We DON’T Collect

No Infrastructure Data

• Your Terraform configurations
• Your threat models
• Your scan results
• Your security assessments
• Your custom rules

Why: ThreatMitigator runs locally. Your infrastructure data never leaves your environment.

No Usage Telemetry

• Which features you use
• How often you run scans
• What errors you encounter
• Performance metrics from your scans

Why: We don’t phone home. ThreatMitigator works completely offline.

No User Tracking

• IP addresses
• Browser fingerprints
• Analytics cookies
• Session tracking
• Device information

Why: This website is static and doesn’t use tracking scripts.

No Account Data (For Community Edition)

• Email addresses
• User accounts
• Login credentials
• Profile information

Why: Community edition requires no account. Download and use freely.

What We DO Collect (Minimal)

This Website (threatmitigator.app)

Server Logs (Standard web hosting)

• Our hosting provider (Cloudflare Pages) may temporarily log:
  • IP addresses
  • Page requests
  • Referrer information
  • User agent strings
• Retention: Automatically deleted within 24 hours
• Purpose: DDoS protection and error debugging
• Control: Use a VPN to mask your IP if preferred

No Analytics

• We do not use Google Analytics, Mixpanel, or similar services
• No tracking pixels or third-party cookies
• No behavioral tracking

Professional & Enterprise Customers

Billing Information (Stripe)

• If you purchase a Professional or Enterprise plan:
  • Name and email (required for invoices)
  • Payment information (processed by Stripe, not stored by us)
  • Company name (optional)
• Purpose: Payment processing and customer support
• Storage: Encrypted in Stripe’s secure infrastructure
• Retention: As required by law for tax purposes (typically 7 years)
• Your Rights: Request deletion after account cancellation (subject to legal requirements)

Support Communications

• If you email support@threatmitigator.app:
  • Email address
  • Message content
  • Attachments (if provided)
• Purpose: Providing customer support
• Storage: Our secure email system
• Retention: Until issue is resolved + 1 year for reference
• Your Rights: Request deletion at any time

Optional AI Features

Bring Your Own Model (BYOM)

If you enable AI-powered remediation features:

What ThreatMitigator Sends:

• Specific threat details you query
• Relevant infrastructure context
• Your explicit question

Where It Goes:

• Directly to YOUR chosen LLM provider (OpenAI, Anthropic, or Ollama)
• Using YOUR API keys
• Under YOUR provider’s privacy policy

What ThreatMitigator DOESN’T See:

• We have no visibility into AI queries
• We don’t proxy or log AI requests
• All communication is direct: your machine → your LLM provider

Your Options:

• Use OpenAI with your corporate account
• Use Anthropic Claude with your API key
• Use Ollama locally for 100% offline AI (no external calls)

Privacy Responsibility:

• Review your chosen provider’s privacy policy:
  • OpenAI Privacy Policy
  • Anthropic Privacy Policy
  • Ollama (local): No external data sharing

Data We Process Locally (On Your Machine)

ThreatMitigator processes data on your infrastructure, not ours:

• Terraform configurations - Parsed locally, never transmitted
• Threat models - Stored in your Git repository
• Scan results - Written to local files with 0600 permissions
• Custom rules - Read from your filesystem

This data never leaves your environment.

Cookies

This Website

• Session Cookies: None
• Analytics Cookies: None
• Advertising Cookies: None

We don’t use cookies on threatmitigator.app.

Documentation Site (docs.threatmitigator.app)

• May use minimal cookies for navigation and search functionality
• No tracking or analytics cookies

Third-Party Services

What We Use

Cloudflare Pages (Website Hosting)

• Hosts this website
• Privacy Policy: https://www.cloudflare.com/privacypolicy/
• Data: Temporary server logs (deleted within 24 hours)

Stripe (Payment Processing - Professional/Enterprise only)

• Processes payments for paid plans
• Privacy Policy: https://stripe.com/privacy
• Data: Billing information, encrypted and secure

What We DON’T Use

• Google Analytics
• Facebook Pixel
• Advertising networks
• Behavioral tracking tools
• Data brokers

Your Rights

Community Edition Users

Since we don’t collect your data, there’s no data to:

• Request access to
• Request correction of
• Request deletion of

You have complete control because everything runs locally.

Professional/Enterprise Customers

Under GDPR and CCPA, you have the right to:

Access - Request a copy of your data (billing info, support emails)

Correction - Update incorrect information

Deletion - Request deletion of your account and data (subject to legal retention requirements)

Portability - Export your data in common formats

Objection - Object to processing (though we process minimal data)

Contact: privacy@threatmitigator.app

Data Security

Local-First Security

Since ThreatMitigator runs on your infrastructure:

• You control security of your threat models and scans
• You control access to ThreatMitigator reports
• You control encryption of stored data
• You control backups and retention

We recommend:

• Store threat models in private Git repositories
• Use encrypted filesystems for sensitive data
• Restrict file permissions (ThreatMitigator uses 0600 by default)
• Follow your organization’s data handling policies

Our Security

For data we do handle (billing, support):

• Encrypted in transit (TLS 1.3)
• Encrypted at rest (AES-256)
• Access restricted to authorized personnel
• Regular security audits
• Secure password practices (bcrypt hashing)

Children’s Privacy

ThreatMitigator is a developer tool not directed at children under 13. We do not knowingly collect information from children.

If you believe a child has provided us with personal information, contact privacy@threatmitigator.app.

International Data Transfers

Community Edition

No data is transferred internationally because no data is collected.

Professional/Enterprise

• Billing data may be processed by Stripe in the United States
• We comply with GDPR for EU customers
• Standard Contractual Clauses used where required

Changes to This Privacy Policy

We may update this Privacy Policy to reflect:

• Changes in laws or regulations
• New features or services
• Customer feedback

We will notify you of material changes by:

• Posting notice on this page
• Updating the “Last Updated” date
• Emailing Professional/Enterprise customers (if applicable)

Previous versions will be archived and available upon request.

California Privacy Rights (CCPA)

What We Collect (California Residents)

Community Edition: None

Professional/Enterprise:

• Name, email, billing information (for payment processing)
• Support communications (for customer service)

Your CCPA Rights

California residents have the right to:

Know - What personal information we collect and how it’s used

Delete - Request deletion of personal information (subject to exceptions)

Opt-Out - We don’t sell personal information (nothing to opt-out of)

Non-Discrimination - Exercise rights without discriminatory treatment

Contact: privacy@threatmitigator.app

European Privacy Rights (GDPR)

Legal Basis for Processing

We process personal data under:

Contract - Billing information to fulfill service agreements

Legitimate Interest - Support communications to provide customer service

Consent - Marketing emails (opt-in only, easy unsubscribe)

Your GDPR Rights

EU residents have the right to:

• Access personal data
• Rectify inaccurate data
• Erase data (“right to be forgotten”)
• Restrict processing
• Data portability
• Object to processing
• Withdraw consent

Contact our DPO: privacy@threatmitigator.app

Data Retention

Community Edition

No data retained (none collected).

Professional/Enterprise

Billing Records: 7 years (tax law requirements)

Support Emails: Until resolved + 1 year for reference

Account Data: Until account deletion requested

Logs: 24 hours (automatic deletion)

Contact Us

Questions about this Privacy Policy?

Email: privacy@threatmitigator.app

Address: ThreatMitigator [Your Address - Update This]

Response Time: Within 30 days for privacy requests

Transparency Report

We believe in transparency. As of January 2026:

• Data breaches: 0
• Government data requests: 0
• Law enforcement requests: 0
• User data sold: 0 (we don’t sell data)

We will update this annually and notify users of any incidents.

Summary

The short version:

ThreatMitigator runs on your infrastructure, not ours We don’t collect your infrastructure data or threat models No telemetry, tracking, or analytics Optional AI uses your API keys directly Minimal billing data for paid plans (processed by Stripe) Open source and auditable

Your data is yours. We built ThreatMitigator that way on purpose.

Last Updated: January 2026